
show which TLS protocols can't be used for testing

The warning message will always be shown (echoed instead of verbose)
This commit is contained in:
Peter Mosmans 2014-11-22 18:32:06 +10:00
parent 818bf29b02
commit 561df82a4a


@ -12,6 +12,9 @@ DOBENCHMARK=0
BENCHMARKITER=30 BENCHMARKITER=30
OPENSSLBIN="$(dirname $0)/openssl" OPENSSLBIN="$(dirname $0)/openssl"
# default string of TLS protocols
TLSPROTOCOLS="-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2"
# test that timeout or gtimeout (darwin) are present # test that timeout or gtimeout (darwin) are present
TIMEOUTBIN="$(which timeout)" TIMEOUTBIN="$(which timeout)"
if [ "$TIMEOUTBIN" == "" ]; then if [ "$TIMEOUTBIN" == "" ]; then
@ -108,6 +111,19 @@ debug(){
fi fi
} }
check_tls_protocols() {
tls_protocols=""
for supported_protocol in ${TLSPROTOCOLS}; do
${OPENSSLBIN} s_client "${supported_protocol}" 2>&1 | grep -q "unknown option"
if [ $? -eq 0 ]; then
# always show warning message as it's important to know what won't be tested
echo "${supported_protocol} not supported by ${OPENSSLBIN}"
else
tls_protocols="${tls_protocols} ${supported_protocol}"
fi
done
}
c_hash() { c_hash() {
local h=$(${OPENSSLBIN} x509 -hash -noout -in "$1/$2" 2>/dev/null) local h=$(${OPENSSLBIN} x509 -hash -noout -in "$1/$2" 2>/dev/null)
for ((num=0; num<=100; num++)) ; do for ((num=0; num<=100; num++)) ; do
@ -234,7 +250,7 @@ test_cipher_on_target() {
pfs="" pfs=""
previous_cipher="" previous_cipher=""
certificates="" certificates=""
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" for tls_version in ${tls_protocols}
do do
# sslv2 client hello doesn't support SNI extension # sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@ -694,7 +710,7 @@ fi
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}") SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
debug "sclientargs: $SCLIENTARGS" debug "sclientargs: $SCLIENTARGS"
check_tls_protocols
cipherspref=(); cipherspref=();
ciphercertificates=() ciphercertificates=()
results=() results=()
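Review bot: The probe on the `s_client` line in check_tls_protocols (hunk @ -108) runs s_client with nothing but the protocol flag, so for every flag the binary does accept it proceeds to a real connection attempt against s_client's built-in default host/port and, should that connect succeed, sits waiting on the script's stdin; since the script already resolves `TIMEOUTBIN` near the top, the probe should be bounded and detached from stdin, e.g. `${TIMEOUTBIN} 5 ${OPENSSLBIN} s_client "${supported_protocol}" </dev/null 2>&1 | grep -qi "unknown option"`. The `-i` is there because the match is on free-text tool output; other OpenSSL builds or forks may phrase or capitalise the message differently, and a missed match silently keeps an unusable flag in tls_protocols, where the error then resurfaces for every cipher in the loop at `for tls_version in ${tls_protocols}` (hunk @ -234). Conversely, if every flag is rejected, tls_protocols ends up empty and that loop runs zero times with no diagnostic, so after the call at `check_tls_protocols` (hunk @ -694) a guard such as `[ -n "${tls_protocols}" ] || { echo "no usable TLS protocol flags in ${OPENSSLBIN}" >&2; exit 1; }` would make the failure visible. tls_protocols is deliberately global because test_cipher_on_target reads it, but that is easy to mistake for a forgotten `local`, so a header comment above the function would help, e.g. `# sets the global tls_protocols to the subset of TLSPROTOCOLS that this openssl binary accepts`.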